Multiple vulnerabilities in Oracle FLEXCUBE Private Banking
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2020-11979 CVE-2020-27218 CVE-2020-11998 CVE-2020-5413 CVE-2021-26117 |
| CWE-ID | CWE-264 CWE-20 CWE-287 CWE-502 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Oracle FLEXCUBE Private Banking Other software / Other software solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU47428
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-11979
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect patch for vulnerability #VU27924 (CVE-2020-1945). Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujul2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU52502
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-27218
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
The vulnerability exists due to improper input validation within the SC Admin server (Eclipse Jetty) component in Oracle Communications Converged Application Server - Service Controller. A remote non-authenticated attacker can exploit this vulnerability to manipulate or delete data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujul2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Authentication
EUVDB-ID: #VU46680
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-11998
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote client to bypass authentication process.
The vulnerability exists due to an error in authentication process, caused by incorrect implementation of protection measures against JMX re-bind attack. A remote attacker can bypass authentication process by passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials.As a result, a remote client can create javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the target system.
Install update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujul2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Deserialization of Untrusted Data
EUVDB-ID: #VU31796
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-5413
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can abuse built-in feature to serialize gadgets to execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujul2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper Authentication
EUVDB-ID: #VU50072
Risk: High
CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-26117
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to a logic error in ActiveMQ LDAP login module when configured to to use anonymous access to the LDAP server. A remote attacker can provide a valid username and no password and gain unauthorized access to the system.
Install update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujul2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
